The WannaCry cryptovirus is causing global problems. As of Sunday, May 14, the virus has spread to well over 100,000 systems in over 100 countries. Version 2 is supposedly making the rounds now, and the total effect of this virus is not yet known. This virus attacks unpatched systems running Windows Server 2008 or older through an SMB exploit that was patched in March 2017. The NSA had some hacking tools stolen from it which used this exploit, and it is believed that this virus was created using those tools. WannaCry encrypts the user’s files, demands a payment in bitcoin to supposedly release them, and spreads to other visible machines using SMB. Your only true recovery is to restore your data and wipe your system: even if you pay the ransom, you have no way to guarantee what changes have or have not been made to your system.
If you are running a true firewall (at RCT we deploy Sophos firewalls with Unified Threat Management) and have updated your systems since March 2017, you are likely not at risk from this virus. If you are running Windows 10 or Server 2012 or newer, you have also largely mitigated the risk from this virus.
It is imperative in today’s IT world to update your systems, keep offline backups, and proactively protect your network. At Rivercity Technology Services we follow the PDIR standard:
Prevent: use hardware firewalls, keep current on updates, apply port control, provide user education, apply a good patch management strategy, don’t skip firmware updates
Detect: monitor event logs, use security analytics, do statistical analytics, use anti-virus software, use tools like MBSA (Microsoft Baseline Security Analyzer)
Isolate: disconnect infected systems from the network immediately, but do NOT power them off, as that destroys the evidence trail. You may need to examine what was done to a system, and you lose that ability if it is powered off.
Recover: restore damaged files using backups, wipe and rebuild the infected system, implement updates to fix the problem so it does not happen again
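As an added illustration of the "Prevent" step above (keep current on updates, apply port control), the following PowerShell audit script is not part of the original post or of RCT's tooling. It assumes Windows 8 / Server 2012 or newer (the SmbShare and NetSecurity modules), an elevated prompt, and that only the Domain profile should accept inbound SMB; the rule name and the March 2017 cutoff are choices made here.

```powershell
# Added example (not from the RCT post): report SMBv1 exposure, patch currency
# and port-445 control on this host, and apply the fixes when run with -Fix.
# Assumes Windows 8 / Server 2012 or newer and an elevated PowerShell prompt.
param([switch]$Fix)   # without -Fix the script only reports

$cutoff   = Get-Date '2017-03-01'   # the SMB fix shipped in March 2017 (per the post)
$ruleName = 'Block inbound SMB (TCP 445) on non-domain networks'   # chosen here

function Test-Smb1Enabled {
    # SMBv1 is the server-side protocol the WannaCry SMB exploit relies on
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Get-PatchesSince([datetime]$Since) {
    # InstalledOn can be $null on some builds; those entries are skipped
    Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since }
}

function Test-Smb445BlockRule {
    [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
}

Write-Host "SMBv1 server enabled      : $(Test-Smb1Enabled)"
Write-Host "Updates since 2017-03-01  : $(@(Get-PatchesSince $cutoff).Count)"
Write-Host "Port 445 block rule exists: $(Test-Smb445BlockRule)"

if ($Fix) {
    if (Test-Smb1Enabled) {
        # Removing SMBv1 takes away the path the worm uses to hop between machines
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (-not (Test-Smb445BlockRule)) {
        # Port control: block SMB on Public/Private profiles, leave Domain untouched
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public,Private | Out-Null
    }
    if (@(Get-PatchesSince $cutoff).Count -eq 0) {
        Write-Warning 'No updates installed since March 2017: run Windows Update before reconnecting.'
    }
}
```

Run it without -Fix first to see the three findings; an SMBv1 server with no updates since March 2017 and no 445 block is the exposure the post describes.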
For more information including a detailed article on this cryptovirus, visit our support page.